Overview
This guide walks you through registering an Azure AD application in your Microsoft 365 tenant. Once complete, you will have a Client ID and Tenant ID to paste into DeepMask’s Microsoft (Enterprise) connector, enabling your users to work with SharePoint and Outlook data inside DeepMask.

| What You’ll Get | Details |
|---|---|
| Azure App Registration | A single app entry in your Azure AD tenant that DeepMask uses to request access on behalf of your users. |
| Delegated Permissions | Read-only Microsoft Graph permissions. Each user can only see content they already have access to — no elevated service account. |
| Client ID | A unique identifier for your registered app. Paste this into DeepMask. |
| Tenant ID | Your organization’s Azure AD directory identifier. Paste this into DeepMask. |
DeepMask uses OAuth 2.0 delegated authentication. When a user connects their account, they sign in with their own Microsoft credentials. DeepMask never stores passwords or receives broader access than the user already has in your tenant.
Prerequisites
Before you begin, confirm you have the following:

Required Access
- Microsoft 365 account (Business Basic or higher) — Your organization must have an active Microsoft 365 or Office 365 subscription with SharePoint Online and Outlook enabled.
- Azure AD Global Administrator or Application Administrator role — You need sufficient privileges to register applications and grant admin consent. If you are unsure of your role, ask your IT administrator.
- Access to Azure Portal — Navigate to portal.azure.com and confirm you can sign in with your admin account.
What You Do Not Need
- No developer tools, code, or command-line experience required
- No changes to existing SharePoint sites or permissions
- No service account or shared credentials
Step 1 — Register an Application in Azure AD
You will create a new App Registration in your Azure Active Directory. This is the entry point that DeepMask uses to identify itself to Microsoft.

Navigate to App Registrations
Open Azure Portal
Open a browser and go to portal.azure.com. Sign in with your Global Administrator or Application Administrator account, then go to Azure Active Directory → App registrations and click + New registration.
Fill in Registration Details
Enter the following values in the registration form:

| Field | Value |
|---|---|
| Name | DeepMask SP Connector (or any name you prefer) |
| Supported account types | Accounts in this organizational directory only (Single tenant) |
| Redirect URI — Platform | Mobile and desktop applications |
| Redirect URI — URL | https://chat.deepmask.io/api/user/connectors/oauth/callback |
Click Register. You should now see the app’s Overview page showing an Application (client) ID and Directory (tenant) ID. Do not close this tab; you will return here in Step 4.
Step 2 — Configure Authentication Settings
With the app registered, you need to enable the token settings that DeepMask relies on to complete authentication on behalf of your users.

Enable token types
In your app, click Authentication in the sidebar. Under Implicit grant and hybrid flows, check both boxes:
- ☑ Access tokens (used for implicit flows)
- ☑ ID tokens (used for implicit and hybrid flows)
With these boxes checked, Azure AD returns tokens directly in the redirect response after the user signs in (the implicit flow), and the app does not need a client secret. Be aware that Microsoft has deprecated the implicit grant in favour of the authorization code flow with PKCE, which also needs no client secret for a public client and does not expose tokens in the URL fragment; keep these boxes checked only because the connector requires the implicit flow, and do not enable anything else on this page. Click Save.
Step 3 — Configure API Permissions
DeepMask requires a set of delegated Microsoft Graph permissions to read SharePoint and Outlook content on behalf of your users. No write permissions are requested.

Add Permissions
In your app, click API permissions in the sidebar, then click + Add a permission, select Microsoft Graph, and choose Delegated permissions.
Search for and add each permission below:
| Permission | Type | Purpose |
|---|---|---|
| User.Read | Delegated | Read the signed-in user’s profile. |
| Sites.Read.All | Delegated | Read all SharePoint sites the user has access to. |
| Files.Read.All | Delegated | Read files in SharePoint document libraries. |
| offline_access | Delegated | Maintain access via refresh token (keeps users signed in). |
| Sites.Selected | Delegated | Optional. Restrict access to specific sites only (see the note below). |
| Calendars.Read | Delegated | Read user calendars. |
| ChatMessage.Read | Delegated | Read user chat messages (Microsoft Teams chat, which is outside the SharePoint and Outlook scope described above). |
| Contacts.Read | Delegated | Read user contacts. |
| Mail.Read | Delegated | Read user mail. |
| Mail.Read.Shared | Delegated | Read user and shared mail. |
| Mail.ReadBasic | Delegated | Read user mail without message bodies or attachments. |
| MailboxItem.Read | Delegated | Read a user’s mailbox items. |
Add only the permissions for the data you actually intend to expose through DeepMask: each one widens what a compromised DeepMask session could read on a user’s behalf, and every permission granted here appears on the consent screen. Mail.ReadBasic is a subset of Mail.Read, so you do not need both. Sites.Selected only restricts access when it is the sole Sites permission; granted alongside Sites.Read.All it has no limiting effect, because Sites.Read.All already covers every site the user can reach.
Grant Admin Consent
After adding all permissions, click Grant admin consent for [Your Organization] at the top of the API permissions list and confirm. Admin consent grants these delegated permissions tenant-wide, so users are not prompted for individual approval on first sign-in. The Status column should then show a green checkmark for every permission.

Step 4 — Find Your Client ID and Tenant ID
Both identifiers are visible on the app’s Overview page in Azure Portal.

Navigate to your app
In the Azure Portal, go to Azure Active Directory → App registrations and click the name of the app you just registered (e.g. DeepMask SP Connector).
Open the Overview tab
You will land on the Overview tab. You will see two important values:
| Azure Portal Label | What to Copy → Where to Paste in DeepMask |
|---|---|
| Application (client) ID | → Client ID field in DeepMask |
| Directory (tenant) ID | → Tenant ID field in DeepMask |
These identifiers are not secrets — they do not grant access on their own. However, treat them like internal configuration values and avoid sharing them publicly.
Step 5 — Enter Credentials in DeepMask
With your Client ID and Tenant ID copied, you can now connect Microsoft (Enterprise) inside DeepMask.

Open DeepMask
Open your browser and go to chat.deepmask.io. Sign in to your DeepMask account and open the Microsoft (Enterprise) connector settings.
Paste your credentials
- Paste your Client ID into the Client ID field.
- Paste your Tenant ID into the Tenant ID field.
Sign in with Microsoft
A Microsoft sign-in window opens. Sign in with any user in your tenant. Because admin consent was granted in Step 3, users are not normally asked to approve permissions; if a consent prompt does appear, it is shown once per user.
DeepMask is now connected to your M365 tenant. Users can search files, sites, and list items from within DeepMask — limited to content they already have access to.
Troubleshooting
If you run into issues during setup or after connecting, refer to the scenarios below.

“Need Admin Approval” screen appears during sign-in
Cause: Admin consent was not granted for the app, or the tenant’s user consent policy is set to block all user-initiated consent.
Resolution:
- In Azure Portal, go to Azure Active Directory → App registrations.
- Open your app and click API permissions in the sidebar.
- Click Grant admin consent for [Your Organization] and confirm.
- Ask the affected user to try signing in again.
“Insufficient privileges” or 403 error when browsing SharePoint
Cause: The Sites.Read.All or Files.Read.All permission is missing, or admin consent was not completed.
Resolution:
- Verify that the permissions from Step 3 (at minimum User.Read, Sites.Read.All, Files.Read.All and offline_access) are listed on the API permissions page.
- Confirm the Status column shows a green checkmark (admin consent granted) for each.
- If a permission is missing, click + Add a permission, add it, then re-grant admin consent.
Wrong tenant — users from another organization are being prompted
Cause: The Tenant ID entered in DeepMask does not match your organization’s Azure AD directory.
Resolution:
- In Azure Portal, go to Azure Active Directory → Overview and copy the Tenant ID shown there.
- Compare it to what is configured in DeepMask.
- Also confirm that Supported account types is set to Single tenant (not multi-tenant).
Redirect URI mismatch error after sign-in
Cause: The Redirect URI in your app registration does not exactly match the one DeepMask sends.
Resolution:
- In Azure Portal, open your app and click Authentication in the sidebar.
- Under Mobile and desktop applications → Redirect URIs, confirm the entry is exactly https://chat.deepmask.io/api/user/connectors/oauth/callback with no trailing slash and no http:// variant. Save and retry.
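If you want to check a registration against Steps 1 to 3 and the consent and redirect problems above without clicking through the portal, the following Python script audits the two objects Microsoft Graph exposes for an app: the application resource (GET /applications/{object-id}, or `az ad app show --id <client-id>`) and the tenant-wide delegated grant from GET /oauth2PermissionGrants. It is an example added to this guide, not DeepMask tooling. It verifies the single-tenant audience, the exact redirect URI, the absence of client secrets and application (app-only) permissions, that admin consent covers the required scopes, that every consented scope is read-only, and it warns when Sites.Selected is paired with Sites.Read.All. The sample objects and service principal object ID in the block are constructed, and the regular expression used to classify scope names as read-only is an assumption based on the naming of the Graph permissions listed in Step 3.

```python
"""Offline audit of an Azure AD app registration for a delegated, read-only
Microsoft Graph connector (example code, not part of DeepMask).

Inputs are two Microsoft Graph objects saved as JSON:
  * the application        (GET /applications/{object-id}, or `az ad app show --id <client-id>`)
  * oauth2PermissionGrants (GET /oauth2PermissionGrants?$filter=clientId eq '<sp-object-id>')
The SAMPLE_* objects below are constructed for this example, not real tenant data.
"""
from __future__ import annotations

import json
import re
import sys

GRAPH_RESOURCE_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known appId of Microsoft Graph
EXPECTED_REDIRECT = "https://chat.deepmask.io/api/user/connectors/oauth/callback"
REQUIRED_SCOPES = {"User.Read", "Sites.Read.All", "Files.Read.All", "offline_access"}

# Assumption: read-only Graph delegated scopes are named <Resource>.Read[Basic][.All|.Shared];
# anything else (e.g. Files.ReadWrite.All, Mail.Send) is treated as a write permission.
READ_ONLY_SCOPE = re.compile(
    r"^(offline_access|openid|profile|email|Sites\.Selected|[A-Za-z]+\.Read(Basic)?(\.All|\.Shared)?)$"
)


def audit_application(app: dict) -> list[str]:
    """Findings for the registration itself (Steps 1 and 2)."""
    findings: list[str] = []
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append(f"signInAudience is {app.get('signInAudience')!r}; expected single-tenant 'AzureADMyOrg'")
    uris = app.get("publicClient", {}).get("redirectUris", [])  # "Mobile and desktop" platform URIs
    if EXPECTED_REDIRECT not in uris:
        findings.append(f"redirect URI missing or not an exact match: {uris}")
    findings.extend(f"non-HTTPS redirect URI: {u}" for u in uris if not u.startswith("https://"))
    if app.get("passwordCredentials"):
        findings.append("client secret present on a public-client registration")
    for rra in app.get("requiredResourceAccess", []):
        if rra.get("resourceAppId") != GRAPH_RESOURCE_APP_ID:
            findings.append(f"permissions requested on a non-Graph resource: {rra.get('resourceAppId')}")
        for access in rra.get("resourceAccess", []):
            if access.get("type") == "Role":  # "Role" = application permission, "Scope" = delegated
                findings.append(f"application (app-only) permission configured: {access.get('id')}")
    return findings


def audit_grants(grants: list[dict], sp_object_id: str) -> list[str]:
    """Findings for admin consent and scope hygiene (Step 3)."""
    findings: list[str] = []
    # consentType "AllPrincipals" is tenant-wide admin consent; "Principal" is a single user's consent.
    tenant_wide = [g for g in grants
                   if g.get("clientId") == sp_object_id and g.get("consentType") == "AllPrincipals"]
    if not tenant_wide:
        findings.append("no tenant-wide admin consent grant; users will see 'Need admin approval'")
        return findings
    granted: set[str] = set()
    for g in tenant_wide:
        granted.update(g.get("scope", "").split())  # scope is a space-separated list of names
    findings.extend(f"required delegated scope not admin-consented: {s}"
                    for s in sorted(REQUIRED_SCOPES - granted))
    findings.extend(f"scope is not read-only: {s}" for s in sorted(granted) if not READ_ONLY_SCOPE.match(s))
    if {"Sites.Selected", "Sites.Read.All"} <= granted:
        findings.append("Sites.Selected has no restricting effect while Sites.Read.All is also granted")
    return findings


def run_audit(app: dict, grants: list[dict], sp_object_id: str) -> list[str]:
    return audit_application(app) + audit_grants(grants, sp_object_id)


# --- constructed sample objects; shapes follow the Graph application and oauth2PermissionGrant resources ---
SAMPLE_SP_OBJECT_ID = "aaaaaaaa-0000-0000-0000-000000000001"  # constructed service principal object ID
SAMPLE_APP = {
    "displayName": "DeepMask SP Connector",
    "signInAudience": "AzureADMyOrg",
    "publicClient": {"redirectUris": [EXPECTED_REDIRECT]},
    "web": {"implicitGrantSettings": {"enableAccessTokenIssuance": True, "enableIdTokenIssuance": True}},
    "passwordCredentials": [],
    "requiredResourceAccess": [{"resourceAppId": GRAPH_RESOURCE_APP_ID,
                                "resourceAccess": [{"id": "00000000-0000-0000-0000-00000000000a",  # placeholder
                                                    "type": "Scope"}]}],
}
SAMPLE_GRANTS = [{"clientId": SAMPLE_SP_OBJECT_ID, "consentType": "AllPrincipals", "principalId": None,
                  "scope": "User.Read Sites.Read.All Files.Read.All offline_access Sites.Selected Mail.Read"}]

if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: audit.py app.json grants.json <sp-object-id>
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            app, grants, sp_id = json.load(f1), json.load(f2).get("value", []), sys.argv[3]
    else:
        app, grants, sp_id = SAMPLE_APP, SAMPLE_GRANTS, SAMPLE_SP_OBJECT_ID
    for line in run_audit(app, grants, sp_id) or ["OK: registration matches the guide"]:
        print(line)
```

Run it with no arguments to audit the constructed sample, which reports only the Sites.Selected warning; pass the two saved JSON files and the service principal's object ID to audit your own tenant. The grants file is expected in the shape Graph returns, with the array under `value`.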
User can sign in but sees no SharePoint sites
Cause: The signed-in user does not have any SharePoint site memberships in the tenant, or sites are restricted.
Resolution:
- Confirm the user has been added as a member to at least one SharePoint site.
- In SharePoint Admin Center, verify the site is not restricted or archived.
- If Sites.Selected was added, ensure each site has been explicitly granted to the app, for example with a POST to the Microsoft Graph /sites/{site-id}/permissions endpoint naming the app’s Client ID, or with the PnP PowerShell cmdlet Grant-PnPAzureADAppSitePermission. Remember that Sites.Selected only restricts access if Sites.Read.All is not also granted.
Security & Privacy
DeepMask is designed so that you retain full control of your data and your users’ access. This section explains the key security properties of the SharePoint integration.

Delegated Authentication
DeepMask uses OAuth 2.0 delegated permissions, not application-level (app-only) permissions. This means:
- Every action performed by DeepMask is done on behalf of the signed-in user.
- A user can only read SharePoint content they already have permission to access.
- DeepMask cannot bypass SharePoint’s existing role-based access controls.
- Removing a user’s SharePoint access in Microsoft 365 removes their access in DeepMask on the next request, because SharePoint permissions are checked at request time, not baked into the token. Disabling the user’s account or revoking their sign-in sessions invalidates the refresh token, but an access token that has already been issued stays usable until it expires (60 to 90 minutes by default) unless Continuous Access Evaluation is in force.
No Stored Credentials
DeepMask does not store your Microsoft password, a Client Secret (none is created in this guide), or raw SharePoint content. Authentication is handled entirely through short-lived OAuth access tokens and longer-lived refresh tokens, which DeepMask encrypts at rest.

No Service Account
Unlike some integrations that use a single shared service account to access all data, DeepMask authenticates each user individually. This ensures audit logs in your Microsoft 365 tenant accurately reflect which user accessed which content.

Read-Only Permissions
The permissions configured in this guide are strictly read-only. DeepMask requests no write, delete, or administrative permissions. It cannot create, modify, or delete files, lists, or sites.

Revoking Access
To disconnect DeepMask from your tenant at any time:
- Option A: In DeepMask → Integrations → SharePoint, click Disconnect.
- Option B: In Azure Portal → Enterprise Applications, find DeepMask SP Connector and delete it. This removes the tenant-wide consent, so the app can no longer obtain tokens for your tenant. To cut off a single user instead, revoke that user’s sign-in sessions in Azure AD.
Questions about data residency, compliance, or security? Contact DeepMask support at support@deepmask.io.